CVE-2018-5502 — Improper Certificate Validation in F5 Big-ip Domain Name System

CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager F5 Big-ip Analytics +10 more

Timeline

PublishedMar 22

Latest updateMay 14

Description

On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. This vulnerability affects virtual servers associated with Client SSL profile which enables the use of client certificate authentication. Client certificate authentication is not enabled by default in Client SSL profile. There is no control plane exposure.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages13 packages

▶NVDf5/big-ip_link_controller13.0.0 — 13.1.0.4

▶NVDf5/big-ip_domain_name_system13.0.0 — 13.1.0.4

▶NVDf5/big-ip_analytics13.0.0 — 13.1.0.4

▶NVDf5/big-ip_edge_gateway13.0.0 — 13.1.0.4

▶NVDf5/big-ip_webaccelerator13.0.0 — 13.1.0.4

🔴Vulnerability Details

GHSA

GHSA-4m7m-7666-wr24: On F5 BIG-IP versions 13↗2022-05-14

▶

CVEList

CVE-2018-5502: On F5 BIG-IP versions 13↗2018-03-22

▶

📋Vendor Advisories

CVE-2018-5502: On F5 BIG-IP versions 13↗2018-03-22

▶

💬Community

Bugzilla

CVE-2018-1000036 mupdf: memory leaks in the PDF parser↗2018-05-24

▶